In July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and is used in many of their products.
Given the rise in abuse of legitimate drivers to disable EDR products (an issue we examined in our piece on compromised Microsoft-signed drivers a few months ago), and the context in which the driver was loaded, we started to investigate and dug deeper into the file.
After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities, which we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and their fixes can be found in the advisories noted for each CVE below.
Findings by CVE
CVE-2023-6330 (Registry)
Description
The registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains several pieces of information used to determine the OS version. CSDVersion represents the Service Pack level of the operating system; CSDBuildNumber is the number of the corresponding build.
The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in an overflow of a non-paged pool allocation. By default only administrators can write to that key, so the attacker must already hold administrative rights on the host; the bug then crosses the admin-to-kernel boundary, which is precisely the boundary an endpoint security driver is expected to hold against tampering.
Impact
The minimum impact is a denial of service. With more research, an attacker might be able to achieve code execution by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001, “WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability.”
CVE-2023-6331 (Out-of-Bounds Write)
Description
By sending a maliciously crafted packet via an IRP with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged memory area, resulting in an out-of-bounds memory write. The vulnerability exists because of a missing bounds check when data is transferred via memmove into a non-paged pool allocation.
Impact
The minimum impact is a denial of service. With more research, an attacker might be able to achieve code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00002, “WatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability.”
CVE-2023-6332 (Arbitrary Read)
Description
Due to insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, resulting in an arbitrary read vulnerability.
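All three findings come down to the driver using attacker-controlled values without checking them: a length that travels with the data (a registry value's data length in CVE-2023-6330, a length field in the IOCTL input buffer in CVE-2023-6331) is handed to memmove as the number of bytes to copy into a fixed-size non-paged pool object, and an address supplied from user mode is dereferenced as a kernel read source (CVE-2023-6332). The following model, added to this write-up and not taken from Panda's or WatchGuard's code, shows the unchecked pattern beside the checks a hardened handler performs. It is plain user-mode C so it can be compiled anywhere; the request layout, status codes, pool object size and the registry value struct are assumptions made for illustration. MAX_USER_ADDRESS is the highest user-mode address on x64 Windows (MmHighestUserAddress); a real driver would call ProbeForRead inside __try/__except rather than comparing against it by hand.

```c
/* Model of the three validation failures described for pskmad_64.sys.
 * Added example; layouts, sizes and status codes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define POOL_OBJECT_SIZE 64                     /* assumed non-paged pool object size */
#define MAX_USER_ADDRESS 0x00007FFFFFFEFFFFULL  /* x64 Windows MmHighestUserAddress */
#define REG_SZ 1                                /* Windows registry type of a string value */

enum status { ST_SUCCESS = 0, ST_BUFFER_TOO_SMALL = 1, ST_INVALID_PARAMETER = 2, ST_ACCESS_DENIED = 3 };
enum op { OP_STORE = 1, OP_READ = 2 };

/* Assumed METHOD_BUFFERED request: header followed by `length` payload bytes. */
struct request {
    uint32_t op;
    uint32_t length;     /* attacker controlled */
    uint64_t address;    /* attacker controlled, read source for OP_READ */
    uint8_t  payload[];
};

/* Assumed shape of a registry value as seen by the driver. Whoever can write the
 * key controls data_len and data, which is the CVE-2023-6330 input. */
struct registry_value {
    uint32_t type;
    uint32_t data_len;
    const uint8_t *data;
};

/* Build a request the way a proof of concept would. The claimed length and the
 * bytes actually appended may disagree; that is what the handler must survive.
 * Returns the number of bytes "sent", or 0 if the buffer is too small. */
size_t build_request(uint8_t *buf, size_t buf_size, uint32_t op, uint32_t length,
                     uint64_t address, const uint8_t *payload, size_t payload_len)
{
    struct request hdr = { op, length, address };
    if (buf_size < sizeof hdr + payload_len) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    if (payload_len) memcpy(buf + sizeof hdr, payload, payload_len);
    return sizeof hdr + payload_len;
}

/* Vulnerable pattern behind CVE-2023-6330 and CVE-2023-6331: the length that
 * travels with the data is trusted and memmove runs past the pool object. */
int store_vulnerable(const uint8_t *sys_buf, uint8_t *pool)
{
    const struct request *req = (const struct request *)sys_buf;
    memmove(pool, req->payload, req->length);   /* no check against the pool object size */
    return ST_SUCCESS;
}

/* The check both bugs lacked: never copy more than the destination holds. */
static int copy_to_pool(uint8_t *pool, size_t pool_size, const uint8_t *src, size_t len)
{
    if (len > pool_size) return ST_BUFFER_TOO_SMALL;
    memmove(pool, src, len);
    return ST_SUCCESS;
}

/* Hardened IOCTL store: check the buffer length the I/O manager reports, then the
 * length claimed inside the request, then the destination size. The header is
 * copied out of the raw buffer rather than aliased through a struct pointer. */
int store_hardened(const uint8_t *sys_buf, size_t in_len, uint8_t *pool, size_t pool_size)
{
    struct request hdr;
    if (in_len < sizeof hdr) return ST_BUFFER_TOO_SMALL;
    memcpy(&hdr, sys_buf, sizeof hdr);
    if (hdr.length > in_len - sizeof hdr) return ST_INVALID_PARAMETER; /* claims more than was sent */
    return copy_to_pool(pool, pool_size, sys_buf + sizeof hdr, hdr.length);
}

/* Hardened registry load (CSDVersion / CSDBuildNumber): insist on the type the
 * driver expects and size the copy by the reported data length. */
int load_registry_value_hardened(const struct registry_value *v, uint8_t *pool, size_t pool_size)
{
    if (v->type != REG_SZ) return ST_INVALID_PARAMETER;
    return copy_to_pool(pool, pool_size, v->data, v->data_len);
}

/* Vulnerable pattern behind CVE-2023-6332: the address from user mode is
 * dereferenced as-is, so any kernel address can be read back out. */
int read_vulnerable(const uint8_t *sys_buf, uint8_t *out)
{
    const struct request *req = (const struct request *)sys_buf;
    memmove(out, (const void *)(uintptr_t)req->address, req->length);
    return ST_SUCCESS;
}

/* Range check [address, address+len) against user space, rejecting kernel
 * addresses, ranges that cross into kernel space, and pointer wrap-around. */
int probe_user_range(uint64_t address, uint64_t len)
{
    if (address > MAX_USER_ADDRESS) return ST_ACCESS_DENIED;
    if (len > (MAX_USER_ADDRESS - address) + 1) return ST_ACCESS_DENIED;
    return ST_SUCCESS;
}

/* Hardened read: validate header, output size and source range before copying. */
int read_hardened(const uint8_t *sys_buf, size_t in_len, uint8_t *out, size_t out_len)
{
    struct request hdr;
    if (in_len < sizeof hdr) return ST_BUFFER_TOO_SMALL;
    memcpy(&hdr, sys_buf, sizeof hdr);
    if (hdr.length > out_len) return ST_BUFFER_TOO_SMALL;
    int st = probe_user_range(hdr.address, hdr.length);
    if (st != ST_SUCCESS) return st;
    memmove(out, (const void *)(uintptr_t)hdr.address, hdr.length);
    return ST_SUCCESS;
}
```

The order of the checks in store_hardened matters: the length the I/O manager reports is the only figure the driver can trust, so the header is validated against it first, then the length inside the header is validated against the remaining input, and only then against the pool object. In the registry case the equivalent trusted figure is the data length returned with the value, which must still be compared with the destination before the copy.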
Impact
The attacker can use this vulnerability to leak sensitive data, or chain it with other vulnerabilities to craft a more sophisticated, higher-impact exploit. In practice an arbitrary kernel read is what turns a pool overflow such as the two above into a reliable exploit, since it lets the attacker locate the object to corrupt instead of guessing. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00003, “WatchGuard Endpoint pskmad_64.sys Arbitrary Memory Read Vulnerability.”
Affected Products
The file we investigated has the SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 1.1.0.21. Out of an abundance of caution, while Panda undertook its investigation, we treated all earlier versions of the file as potentially vulnerable; Panda's investigation confirmed this approach. To check a host, locate the pskmad_64.sys that the driver service loads, and compare its file version and SHA256 with the values above: anything at or below version 1.1.0.21 should be treated as affected until the product is updated to a fixed release.
As stated in Panda's advisories, the affected driver is included in the following products:
- WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360, versions earlier than 8.00.22.0023
- Panda Dome, versions earlier than 22.02.01 (Essential, Advanced, Complete, and Premium editions)
The fixed version of Panda Dome, the consumer product, is 22.02.01. The fixed version of WatchGuard EPDR and AD360, the enterprise products, is 8.00.22.0023.
Timeline
2023-08-28: Proof of concept and detailed write-up sent to the Panda security team.
2023-09-21: Panda security team responded and acknowledged our report.
2023-10-30: Panda security team informed us of their plan to fix the issues.
2023-12-06: Panda informed us of the three CVEs assigned to these issues.
2024-01-18: Fixes released.